From dc22a5bc7cb12f36d20291c4cbb0da7ff2aac8cf Mon Sep 17 00:00:00 2001
From: ricola
Date: Sat, 7 Jun 2025 19:28:58 -0600
Subject: [PATCH] Hash reset codes in database

Otherwise, they can be reused if the database gets leaked.
---
 vedia.rb | 13 ++++++++++---
 views/reset_email.erb | 2 +-
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/vedia.rb b/vedia.rb
index 0b5eb2c..56925e9 100644
--- a/vedia.rb
+++ b/vedia.rb
@@ -130,7 +130,8 @@ end
 post '/reset' do
   @user = User.find_by(email: params[:email])
   if @user
-    @user.reset = SecureRandom.uuid
+    @reset = SecureRandom.uuid
+    @user.reset = hash_password(@reset)
     @user.save
     mail = Mail.new
     mail.from = settings.admin_email
@@ -143,7 +144,10 @@ post '/reset' do
 end
 
 get '/reset/:uuid' do
-  @user = User.find_by(reset: params[:uuid])
+  @user = nil
+  User.where.not(reset: nil).each do |user|
+    @user = user if verify_password(params[:uuid], user.reset)
+  end
   if @user
     erb :reset_change
   else
@@ -152,7 +156,10 @@ get '/reset/:uuid' do
 end
 
 post '/reset/:uuid' do
-  @user = User.find_by(reset: params[:uuid])
+  @user = nil
+  User.where.not(reset: nil).each do |user|
+    @user = user if verify_password(params[:uuid], user.reset)
+  end
   if @user
     @errors = []
     if params[:password].empty?
diff --git a/views/reset_email.erb b/views/reset_email.erb
index 4a2bd5a..68467b4 100644
--- a/views/reset_email.erb
+++ b/views/reset_email.erb
@@ -1,3 +1,3 @@
 <%= _("Visit the following link to reset your password:") %>
-<%= "#{settings.base_url}reset/#{@user.reset}" %>
+<%= "#{settings.base_url}reset/#{@reset}" %>
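Review bot: `@user.reset = hash_password(@reset)` stores a value that, judging by the helper's name (its definition is outside the hunk), is salted and therefore not reproducible from the code alone, which is what forces the `get '/reset/:uuid'` and `post '/reset/:uuid'` hunks to scan every user with a pending reset and run a verify per row. A `SecureRandom.uuid` carries 122 random bits, so a password-grade hash adds nothing over a deterministic `Digest::SHA256.hexdigest(@reset)`, which still protects a leaked table but keeps the lookup an indexed `User.find_by(reset: ...)`. The hunk also records no issue time, so the hashed code stays usable until something else overwrites or clears it; a timestamp column (e.g. a constructed `reset_sent_at`) checked on use would bound that window. `@user.save` is still unchecked (pre-existing), so a failed save would mail a code that was never persisted; the handler body continues below the hunk.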
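Review bot: The new lookup in `get '/reset/:uuid'` keeps iterating after a match, so `@user` ends up as the last user whose stored hash verifies rather than the first, and the same four lines are repeated verbatim in the `post '/reset/:uuid'` hunk. Both should call one helper that stops at the first hit, e.g. `@user = User.where.not(reset: nil).find { |user| verify_password(params[:uuid], user.reset) }`. As written, each request to these routes costs one `verify_password` call per user with a pending reset, so the route's cost grows with that count; a deterministic digest (see the note on the `post '/reset'` hunk) removes the scan entirely. The route bodies continue outside the hunk.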
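Review bot: In `post '/reset/:uuid'` the hunk ends before the success path, so it is not visible whether `@user.reset` is set back to `nil` once the new password is saved; if it is not, the hashed code remains a valid reset path until the next `post '/reset'` overwrites it, which is the reuse problem the commit message is addressing. Confirm the branch below the hunk does `@user.reset = nil` before the final `@user.save`, and add a short comment there, e.g. `# single-use: discard the reset code hash once the password is changed`. The handler body continues outside the hunk.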